CLAIMS: 



1 . A programmable controller including: 

at least one user inpfut interface and an input register for connection to process plant 
and/or machinery to provide sampled and stored input data in digital form, 

at least one user output inta^ace and an output register for connection to process plant 
and/or madiineiy to receive and store output data in distal form, 

progranan^le logic hardware induding a plurality of basic logic eletnents and 
declricaUyconfiguraWeintacQttnections, saidintearoonnections configurable to interconnect the 
logic elements as a user control program circuit and to connect the user control program circuit 
to said input and ou^nit inter&ces, 

program ioadingmeans to enable the usear to configure theprogrammablelogk; hardware 
as a drouit implementing a visa control program prior to initiating control of the associated 
process plant and/or machinery. 

2. A programmable logic controller as daimed in daim 1 including ausw amttol pio^ajn 
implementfid as an electrical logic circuit in said pro^ammable logic hardware, with said user 
program circuit connected to said ii^t and output interfaces. 

3. A programmable controller as claimed in claim 2, for use with a monitoring device* and 
wherein: 

said progtammable logic as configured has a plurality of state data storage units storing 
&e user program circuit state data, and a means of access to said state data storage units, 

said monitoring device may be connected via said means of access to said state data 
storage units, and 

said means of access to said state data storage units enables said monitoring device to 
read data values from said state data storage units and to write data values to said state data 
storage units while the user control program continues to peiform control functions. 

4. A programmable conttoUer as claimed in claim 3 with an operating cyde of at least two 
non-oved^ing sequential intervals, and wherein. 

said input data register operates to sample and store the input data within a first said 
interval ("logic processing interval"), 
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said progrannnable logic ciicuit include clocking means that £^plies dodc pulses in said 
logic processizig interval as required by the user control program circuit, said logic processing 
interval allowing the user control program circuit signals to settle, and 

said means of access to said data storage imits enable said monitoring device to read data 
5 firom and/or write to said state data storage units duriag a second said interval ("data access 
interval*'). 

5. A programmable controller as claimed in claim 4 including means to support state data 
modification comprising: 

10 secondary modification data storage corresponding to said state data storage units, and 

a modification indicator corresponding to each said state data storage unit, said 
modificafion indicator and the contents of said secondary storage being writable by said 
monitoring device; and 

data modification means operative to perform within one said data access inten^al the 
15 steps of: 

scanning said modificafion indicators^ 

loading data stored in said secondary modification data storage units to said 
corresponding state data storage units if the corresponding modification indicator so indicates, 
and 

20 ratting said modification indicators* 

6. A programmable controU^ as claimed in daim 4 including means to sijppott state data 
forcing comprising: 

secondary modification data storage corresponding with said state data stor^e units 
2S a data forcing indicator for each said storage unit, said data forcing indicator and the ~ 

contents of said secondary stora^ being writable by said monitoring device; and 

data modification means optative to perform within one said data access interval the 
steps of: 

scanning said data fordng indicators* 

30 loadingdatastoredinsaidsecondaiystorageunitstosaidcon^espondingstatedatastora^ 
units if the corresponding data forcing indicator so indicates^ 
without resetting said data fi>rcing indicators. 
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7. A programmable controller as claimed in claim 4 including means to support program 
swap operations, adapted to petfonn, during said data access interval, the st^s of: 

reading and storing state data from said state data storage units, 

configuring anew user control program in said programmable logic by leconfiguring said 

programmable connections; and 

writing said stored state data, or modified stored state data, to corresponding newly 

configured state data storage units. 

8. A programmable controller as claimed in claim 4 with dupUcated hardware to fecilitate 
program swapping operations including: 

at least two sqwrately configurable sections of programmable logic hardware for 
separatdy configurable user control program circuits, 

ou^t selector means to sdectivdy connect one of said programmable logto haniware 
sections to said output interfaces via the output register, and 

means to support program swap operations adq>t6d to perform the steps of: 

configuring a new user control program in incoming said programmable logic hardware 
section not connected to said output inter&ce, and 

subsequaitly, all within one said data access interval: 

reading state data fiom said storage units of the outgoing said programmable logic 
hardware section, 

optionally writing the state data firom the outgoing said programmable logic hardware 
section into the mcoming said programmable logic hanlwai« section so that the data is written 
to the state data storage units that have the same user control program functitMis as those fiom 
which it was read, 

disconnecting said outgohig programmable logic hardware section fiom said output 
inter&ces, and 

connectmg said incoming programmable logic device to said output interface via the 
output register. 



9. Aprogrammablecontroller as claimedinclaim4includmgmeans to support relocati, 

ofstate data fiom file outgoingprograramable logic hardware section to the corresponding sts 
data storage unit in the incoming programmable logic hardware section including: 

relocation address storage corresponding with said state data storage units 
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secondary state data storage to save data from said state data storage iinits 
selection means to select either a non-rdocated address or a relocated address with which 
to access the said secondary state data storage, and 
data relocation means performing the steps of: 

(i) loading said secondary rcloc^on address storage with addresses supplied by said 
monitoring device; and within one said data access interval^ 

(ii) reading a state data bit &om a programmable logic hardware section, 

(iii) writing said state data bit into said secondary state data storage at an address 
stored in said relocation address storage, 

(iv) repeating steps (ii) and (iii) until all required bits have been relocated and 
transferred, 

(v) reading a state data bit from said secondary state data storage, 

(vi) writing said state data bit into the same or a different programmable logic 
hardware section at the same address at which it was located in said secondary 
state data storage^ and 

(vii) repeating steps (v) and (vi) until all required bits have been transferred 

10. A programmable controller as claimed in claim 2 including means to support circuit 
failure detection including 

at least two separately configurable sections of programmable logic hardware 
configurable with identical user control program circuits and with identical input values, and, 

failure detection means comparing a set of output values of each saidprogrammable logic 
section with the corresponding set of output values of each other section, and indicating feilure 
of said programmable logic hardware if the sets of settled output values of said sections are not 
identical. 

11. A programmable conJioller as claim^ in claim 2 including means to support circuit 
failure detection and conection including: 

at least three said 3q)arately configurable sections of programmable logic hardware 
configurable with identical user control program circuits and with identical input values, and 

failure detectionmeans to compare asetof output values of each said programmable logic 
hardware section with the corresponding set of output values of at least two other said sections, 
and 
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output processing means to pass a set of correct otrtput values to the control outpiits. via 
the output register and ensure incorrect output values as indicated by said failure detection means 
do not propagate to the control outputs; 

wherein said failure det^on means determines that a programmable logic hardware 
section has felled if the set of settled output values of said programmable logic hardware section 
is not idttitical to at least one of the sets of settled output values of the other programmable logic 
hardware sections, idmtifies any unmatched sets of outputs as coming fiom a failed 
programmable logic hardware section, and indicates the failure of that programmable logic 
hardware sectioxL 

12. Aprogrammable controller as claimed in claim 10 including a plurality of said failure 
detection means with the sets of outputs fiom each section of programmable logic hardware 
provided as inputs to each said &ilure detection means, and 

detection of afeQureby any one of the two or more failure detection means indicates that 
a failure has occurred* 

13, A programmable controller as claimed in claim 1 1 including a plurality of said failure 
detection and collection means with the sets of outputs from each of &e at least three sections 
of programmable logic hardware provided as inputs to each of the feilure detection and correction 
means, and wherein: 

indication of a difference between the sets of output values of any two sections of 
programmable logic hardware by any one or more of the failure detection means indicates that 
a Mure has occurred^ and 

at least two or more Mure detection circuits must agree that a particular section of 
programmable logic hardware is operating correctly before the set of output values ftom that said 
section is deemed to be correct, and 

said output processing means passes a set of correct output values to the control outputs 
via the output register and ensures incorrect output values, as indicated by said failure detection 
means, are not propagated to the control outputs- 

14 A programmable controller as claimed in claim 13 includmg exception evaluating and 

handlingmeans which ensures that the controller responds appropria^^^ 

of concurrently correct output values deemed desirable as a safety margin does not exist, the 
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miidmum said number being two. 



15. A prograimnabte controller as claimed in claim 2 wherein said programmable controller 
receives input signals from duplicate sensors and said user control program includes at least one 
input signal monitoring function block, said monitoring block determining the invalidity of an 
input signal by a comparison of said duplicate input signals using criteria defined as part of the 
fimction block as suitable to identify signals in enror, and indicating an input signal error if said 
input signal is deemed invalid. 

1 6. Aprogrammable controller as claimed in clafan 1 5 wh^in said duplicate s^ors include 
three or more matching sensors and the respective said input signal monitoring fimction block 
determines the invalidity of an input signal from a comparison of said matching input signals, 
and determines the invalid signal as the odd-one-out, and passes a singje copy of the valid signals 
as the input signal. 

17. A programmable controller as claimed in claim 4 including means to support circuit 
failure detection including 

at least two separately configurable sections of programmable logic hardware 
configurable with identical user control program circuits and with identical input values, and, 

failure detection means comparing a set of output values of eadi said programmable logic 
section with the corresponding set of output values of each other section, and indicating failure 
of said programmable logic hardware if the sets of settled ou^ut values of said sections are not 
identical 

18. A programmable controiler as claimed in claim 4 including means to siqjport circuit 
^lure detection and correction including; 

at least three said separately configurable sections of programmable logic hardware 
configurable with identical user control program circuits and with identical mput values, and 

failuredetectionmeanstocompareasetofoutputvalues of each said programmablelogi^ 
hardware section with the corresponding set of output values of at least two otiier said sections, 
and 

output processing means to pass a set of correct output values to the control ou^uts via 
the output register and ensure mcorrcct output values as indicated by said failure detection means 
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do not propagate to the control outputs; 

whercm said failure detection means determines that a programmable logic hardware 
section has foiled if the set of settled output values of said programmable logic hardware section 
is not identical to at least one of the sets of settled output values of the other programmable logic 
hardware sections, identifies any unmatched sets of outputs as coming from a failed 
programmable logic hardware section, and indicates the failure of that programmable logic 
hardware section. 

19. A programmable controller as claimed in claim 1 S includuig a plurality of said failure 
detection and correction means witti the $et$ of ou^uts ftom each of flie at least three sections 
of programmable logic hardware are provided as ii^uts to each of the feilure detection and 
correction means, and wherein: 

indication of a difference betwreen the sets of output values of any two sections of 
programmable logic hardware by any one or more of the failure detection means indicates ^at 
a &ilure has occurred^ and 

at least two or more failure detection circuits must agree that a particular section of 
programmable logic hardware is operating correctly before the set of output valu^ ftom that said 
section is deemed to be correct, and 

said ou^ut processing means passes a set of correct output values to the control outputs 
via the output register and ensures incorrect output values, as indicated by said failure detection 
means^ are not propagated to the control outputs. 

20* Aprogrammable controller as claimed m claim 4 wherein said programmable controller 
receives input signals from diq)licate sensors and said user control program includes at least one 
input signal monitoring function block, said monitoring block detennioing fee invalidity of an 
input signal by a comparison of said dupUcate input signals using criteria defined as part of the 
function block as suitable to identify signals in error, and indicating an mput signal error if said 
input signal is deemed invalid* 
as illustrated by the accompanying drawings. 
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